+
+ const keyId = parsed.keyId
+ if (!keyId) {
+ res.fail({
+ status: HttpStatusCode.FORBIDDEN_403,
+ message: 'Invalid key ID',
+ data: {
+ keyId
+ }
+ })
+ return false
+ }
+
+ logger.debug('Checking HTTP signature of actor %s...', keyId)
+
+ let [ actorUrl ] = keyId.split('#')
+ if (actorUrl.startsWith('acct:')) {
+ actorUrl = await loadActorUrlOrGetFromWebfinger(actorUrl.replace(/^acct:/, ''))
+ }
+
+ const actor = await getOrCreateAPActor(actorUrl)
+
+ const verified = isHTTPSignatureVerified(parsed, actor)
+ if (verified !== true) {
+ logger.warn('Signature from %s is invalid', actorUrl, { parsed })
+
+ res.fail({
+ status: HttpStatusCode.FORBIDDEN_403,
+ message: 'Invalid signature',
+ data: {
+ actorUrl
+ }
+ })
+ return false
+ }
+
+ res.locals.signature = { actor }
+ return true